Last month, the Information Commissioner’s Office (ICO) published a response to the government’s call for views and evidence on the draft EU Directive on Network and Information Security (NIS Directive). The ICO’s criticism stemmed from its experience with mandatory data breach notifications from the telecoms sector and included suggestions for modifying the proposed NIS Directive.
The Directive would require Member States to create national competent authorities (NCAs) to handle network information security risks and incidents, with the NCAs being notified about any major cybersecurity incidents affecting critical infrastructures, information society services and public administrators. The ICO generally welcomed the objectives, hoping that there will be a greater focus on security among European businesses.
The ICO felt the proposed NIS Directive did not clearly address how NCAs were meant to deal with incident notifications, noting that while monetary penalties can act as a useful motivator, adequate improvements will not be achieved if there is no emphasis on understanding the underlying cause of an incident. In addition, the requirement on “core service” providers to notify incidents required the setting of thresholds to prevent NCAs from being flooded with trivial and inconsequential notifications.
The ICO also criticised the NIS Directive provision under which disclosures of personal data in connection with a notification would always be treated as necessary and legitimate, and pointed out that by default it will be unnecessary to know whose personal data was compromised. The ICO suggested the focus should be on ensuring the removal or minimisation of unnecessary personal data.
Lastly, the ICO pointed out the flaw in introducing harmonised security standards across Europe, highlighting that the pace of technological development will outstrip and outdate any measures before they can be agreed, and that a single standard of adequate security will not suit the myriad organisations covered by the NIS Directive.
The ICO is not keen to take on the role of the UK’s NCA, stating it does not feel equipped to deal with notifications relating to security incidents unrelated to personal data, and suggested cooperation between itself and the NCA through a Memorandum of Understanding.